Government hates a policy vacuum. So, while CESG, the UK government’s National Technical Authority for Information Assurance, has brought about changes to the management of Internet Security within government offices, many still rely on the legacy IS1 frameworks to manage their information risk.
No longer legally bound by the cumbersome IS1/IS2 process, government departments can now focus on balanced risk management, resilience and incident response. The old process was criticised for being unwieldy, inevitably leaving system protection behind the curve. By putting the emphasis on guidelines and outcomes rather than on policy and dogma, the new system hopes to keep one step ahead of threats and attackers.
With this shift in focus, there is the potential for public sector risk management doctrine to become dramatically more dynamic. But, while this is ultimately a good thing because it will mean a more agile and responsive framework to operate within the increasingly dynamic risk environment, it will also be increasingly difficult for traditional risk managers (in all sectors) as the process becomes dependent on decision making under conditions of uncertainty as well as the tacit acceptance that mistakes can and will be made.
Protection of systems, particularly relating to the use of social media within the workplace, now relies on an individual practitioner’s capacity to respond effectively to a wide range of different events without recourse to a standardised process within which they can operate. Significantly, individual practitioners must balance this new freedom with the need to ensure that risks can be managed across organisational and technical boundaries.
Where, in the past, considerable weight was given to process (documents of 300 pages were sometimes produced in support of IS1 and IS2), the emphasis is now on timely effect. Compliance has become a matter of behaviour, not policy. For highly skilled practitioners this will not present a problem, but for those with less experience and confidence it can be a heavy burden of individual responsibility.
We now need to focus on doctrine rather than dogma. (I see doctrine as the process by which we write down what we do so that we can do it better, whereas dogma is when we write things down for the sake of it!) Policy is a reflection of management intent, and in today's world our doctrine must be judged by its effect.
Regardless, there are many who feel uncomfortable taking responsibility for their own judgement without dogmatic policy to fall back on. The long-term question is whether CESG will hold its nerve and produce proportionate doctrine, or whether it and the practitioner community will feel compelled to generate another generation of dogma.